Why is Sha2 prioritized over Sha3 as base hash algorithm? #2615
In the libspdm_get_response_algorithms function, the priority table for the hash algorithm ( ) prioritizes Sha2 over Sha3. Is there any specific reason for this? Shouldn't Sha3 be prioritized over Sha2 as it is more secure?
No. See #121. In particular, if a Responder supports more than one algorithm then it should be up to the Integrator to determine priority. However, anecdotally, most Responder devices only support one algorithm family (SHA2 XOR SHA3), and even then only one algorithm within that family, and so that decision typically doesn't have to be made.
You mean it's more secure as it does not have to worry about length extension attacks? While SHA2 is susceptible to length extension attacks, algorithms that incorporate SHA2, such as HMAC, are able to mitigate that issue.
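An added example, not part of the thread and not libspdm's own code: a Responder-side selection in which the Integrator supplies the priority order, so the same pair of capability masks yields SHA2 or SHA3 depending only on policy. `select_hash` and both priority tables are hypothetical names constructed for this sketch; the bit values are the BaseHashAlgo assignments from the SPDM specification.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* BaseHashAlgo bits as assigned in the SPDM specification (DSP0274). */
#define HASH_SHA_256  0x01u
#define HASH_SHA_384  0x02u
#define HASH_SHA_512  0x04u
#define HASH_SHA3_256 0x08u
#define HASH_SHA3_384 0x10u
#define HASH_SHA3_512 0x20u
#define PRIO_COUNT 6

/* Hypothetical integrator policies (constructed for this example); first match wins. */
static const uint32_t prio_sha2_first[PRIO_COUNT] = {
    HASH_SHA_512, HASH_SHA_384, HASH_SHA_256,
    HASH_SHA3_512, HASH_SHA3_384, HASH_SHA3_256 };
static const uint32_t prio_sha3_first[PRIO_COUNT] = {
    HASH_SHA3_512, HASH_SHA3_384, HASH_SHA3_256,
    HASH_SHA_512, HASH_SHA_384, HASH_SHA_256 };

/* Hypothetical helper: return the highest-priority algorithm bit that both
 * sides advertise, or 0 when the masks share nothing listed in the table. */
uint32_t select_hash(const uint32_t *prio, size_t count,
                     uint32_t local_mask, uint32_t peer_mask)
{
    uint32_t common = local_mask & peer_mask;
    for (size_t i = 0; i < count; i++) {
        if (common & prio[i])
            return prio[i];
    }
    return 0; /* the caller has to treat this as a negotiation failure */
}

int main(void)
{
    /* Constructed capability masks: a dual-family Responder and a Requester. */
    uint32_t responder = HASH_SHA_384 | HASH_SHA3_384;
    uint32_t requester = HASH_SHA_256 | HASH_SHA_384 | HASH_SHA3_384;

    printf("SHA2-first policy selects 0x%02x\n",
           (unsigned)select_hash(prio_sha2_first, PRIO_COUNT, responder, requester));
    printf("SHA3-first policy selects 0x%02x\n",
           (unsigned)select_hash(prio_sha3_first, PRIO_COUNT, responder, requester));
    /* A single-algorithm Responder gets the same result under either policy. */
    printf("single-algorithm device:  0x%02x\n",
           (unsigned)select_hash(prio_sha3_first, PRIO_COUNT, HASH_SHA_256, requester));
    return 0;
}
```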
Would you please clarify which document says: SHA3 is more secure than SHA2?